[00:00.000 --> 00:05.820]  Hello and welcome to Health Information Privacy Ask an Expert. I'm Lucia Savage. I'm currently
[00:05.820 --> 00:10.600]  Chief Privacy and Regulatory Officer at Omada Health. Before joining Omada Health, I was
[00:10.600 --> 00:15.400]  Chief Privacy Officer at the Health and Human Services Office of the National Coordinator for
[00:15.400 --> 00:20.960]  Health IT. Yes, that's a mouthful. You can just say ONC for short. And that is the agency that
[00:20.960 --> 00:26.020]  not only brought you regulated electronic health records, but also brought you app-based access to
[00:26.020 --> 00:30.900]  your own information. And we'll talk more about that later today. I'm really happy to be here
[00:30.900 --> 00:36.140]  today recording live for the Biohacking Village at DEF CON. As you know, the format of the show
[00:36.140 --> 00:41.460]  is to cover the basics of a topic and then open the mailbag on that topic. Today, we're covering
[00:41.460 --> 00:46.400]  how health information privacy is regulated in the U.S. and the difference between health
[00:46.400 --> 00:51.880]  information in the health care system and outside of it, like on social media. We're also going to
[00:51.880 --> 00:56.000]  cover why there are lots of news headlines on the topic and what the headlines mean for ordinary
[00:56.000 --> 01:02.200]  people. Let's get started. I think the best place to start is why do people want health information
[01:02.200 --> 01:07.700]  privacy? It's pretty simple. People want health information privacy to prevent them from being
[01:07.700 --> 01:12.660]  treated badly because of their health status. There's a few very current examples of that.
[01:12.660 --> 01:18.000]  Just look at Kim Kardashian's note about her husband's mental health situation. Or if you want
[01:18.080 --> 01:22.740]  a deeper dive, you can read Carrie Fisher's autobiography. Or you can check out on social
[01:22.740 --> 01:29.220]  media the Royal Highness's campaign to remove mental health stigma in Britain. All of those
[01:29.220 --> 01:34.460]  are areas where we have specialized privacy rules because we treat people badly when the health
[01:34.460 --> 01:38.500]  information gets out in public. And there's many, many areas as well, but those are three current
[01:38.500 --> 01:44.260]  examples. At the same time, it's really important to remember that here, a fifth of the way through
[01:44.260 --> 01:50.580]  the 21st century, digital health information can be used for really important purposes to
[01:50.580 --> 01:57.660]  help us address inequities, address discrimination, improve the care system. You can't fix what you
[01:57.660 --> 02:03.600]  can't measure. One example would be many years ago, we started measuring the rate of breast cancer
[02:03.600 --> 02:08.480]  screening in women. And because we could measure it and identify the physicians that were not
[02:09.140 --> 02:13.780]  ordering mammograms for their patients, we increased the rate of screening and we saved
[02:13.780 --> 02:18.600]  lives. That's a really early example. But some more current examples are things like
[02:18.600 --> 02:23.760]  using the data to measure what kind of languages the healthcare providers speak
[02:23.760 --> 02:28.960]  compared to their patients, or using the data to figure out immunization rates.
[02:30.300 --> 02:36.400]  So using it is important, but keeping it private is important, and therefore we have regulation.
[02:36.460 --> 02:40.440]  And I thought today I'd talk a little bit about how is health information regulated,
[02:40.440 --> 02:43.240]  and then open it up to questions from the mailbag.
[02:43.980 --> 02:46.780]  So the first thing I wanted to say is within the healthcare system,
[02:46.780 --> 02:51.280]  there's a very specific set of rules. You guys will all have heard the acronym HIPAA.
[02:51.380 --> 02:56.340]  It stands for Health Insurance Portability and Accountability Act. And you'll notice that there's
[02:56.340 --> 03:02.020]  no privacy in that acronym. Privacy is a side product of the original effort, which was to
[03:02.020 --> 03:08.080]  digitize the claims data so we could do this measurement. But we do have a very robust privacy
[03:08.080 --> 03:13.260]  rule. And in fact, people equate HIPAA with privacy. And the way that works is the digital
[03:13.260 --> 03:18.260]  health information within the healthcare system is designed by regulation to move around for
[03:18.260 --> 03:23.900]  ordinary healthcare purposes. For example, if you go to the doctor's office and you have insurance,
[03:23.900 --> 03:28.140]  you want your doctor to bill the insurance company without you having to do extra paperwork,
[03:28.140 --> 03:32.240]  or at least most people do. There are definitely a subsection of the American population that
[03:32.240 --> 03:37.680]  wants to manage it all themselves, but that's not most of us. And so that transaction,
[03:37.680 --> 03:42.620]  care transaction is all digital. And it goes from your doctor's office to your insurance company,
[03:42.620 --> 03:46.520]  so your doctor can get paid and you get billed whatever your co-insurance is. And we know that
[03:46.520 --> 03:50.760]  could be high. That's a different panel. But you don't have to do anything. You don't have
[03:50.760 --> 03:54.280]  to collect the data. You don't have to send it somewhere. It doesn't have to be printed out.
[03:54.280 --> 03:59.440]  And all that is designed to happen normally. In addition, the regulations are also designed
[03:59.440 --> 04:03.740]  to let us do this normalized measurement, to measure that breast cancer screening rate,
[04:03.740 --> 04:09.520]  to measure those immunization rates, to measure language, to measure how expensive it is. And
[04:09.520 --> 04:14.840]  there's lots and lots of examples of that. But the last thing is the regulations are designed
[04:14.840 --> 04:20.560]  to not allow the data outside of the healthcare system in an identifiable way without you giving
[04:20.560 --> 04:28.360]  permission to it. And I don't have time today to give you very specific and detailed technicalities
[04:28.360 --> 04:32.260]  of the regulations, but I will be providing a list of public resources where you can dig
[04:32.260 --> 04:37.400]  in yourself about that. That's the basics of within the healthcare system. But again, here we
[04:37.400 --> 04:42.960]  are, it's 2020, almost 2021, and we have lots and lots of health information that's either directly
[04:42.960 --> 04:47.900]  collected from individuals that's outside the healthcare system, like fitness trackers and
[04:47.900 --> 04:56.100]  social media sites, or where we use data that's like grocery shopping data or banking data or
[04:56.100 --> 05:03.600]  driving data to impute health information about people from other data sets. And all of that,
[05:03.600 --> 05:07.080]  not being in the regular healthcare system, is subject to a completely different regulatory
[05:07.080 --> 05:13.360]  scheme. So that regulatory scheme is basically about consumer privacy protection. So it's really
[05:13.360 --> 05:18.880]  the same rules apply to the health information Facebook collects as apply to the fashion
[05:18.880 --> 05:24.540]  information Facebook collects, or the dining information your social media account collects.
[05:24.540 --> 05:30.920]  It's all the same set of rules. And that basic construct is, did the organization tell you what
[05:30.920 --> 05:36.300]  it was going to collect? We can have a long conversation about notice. And were they honest
[05:36.300 --> 05:40.800]  about it? So were their actions what they said they were going to be? Or did they lie about their
[05:40.800 --> 05:45.880]  actions or mislead you about their actions? So it sounds really good in concept, but very, very hard
[05:45.880 --> 05:54.940]  to prove in the detail. The ability to prove those consumer violations lies primarily with
[05:54.940 --> 05:59.620]  the Federal Trade Commission, which is a federal agency not in the healthcare system, and as well
[05:59.620 --> 06:06.420]  with state attorneys general. Then as the 21st century has gone on from 2000 to the present,
[06:06.420 --> 06:11.720]  states have begun to take a role. And so we have state breach notification laws to protect us from
[06:11.720 --> 06:19.060]  consumer harm when our consumer data is collected and then breached or misused or misdisclosed.
[06:19.060 --> 06:25.640]  And we have states also beginning to take specific action about health information outside of the
[06:25.640 --> 06:30.760]  healthcare system. The last thing I want to say about this interplay between inside the healthcare
[06:30.760 --> 06:36.260]  system and outside the healthcare system has to do with states. So the federal law, HIPAA, is
[06:37.220 --> 06:44.700]  the floor of regulation. And many states have very specific laws about, in general,
[06:44.700 --> 06:50.000]  clinical verticals. So they'll have specific laws about HIV/AIDS or specific laws about mental
[06:50.000 --> 06:56.760]  health data or specific laws about domestic violence or sexually transmitted diseases.
[06:56.760 --> 07:03.160]  There's eight or so key areas, and they'll have a specialized rule about that and who gets to use
[07:03.160 --> 07:07.660]  it and what is permission required and do you have to consent to the release of your data.
[07:07.720 --> 07:12.980]  And all of those rules sit on top of HIPAA. So in the healthcare system, if you're a healthcare
[07:12.980 --> 07:17.060]  provider like Omada is, you have to think about HIPAA and you have to think about all your state
[07:17.060 --> 07:24.020]  laws. But again, those laws are about the healthcare system itself and not about particular kinds of
[07:24.020 --> 07:31.560]  data outside the healthcare system in the consumer setting. Finally, we have an emerging set of laws.
[07:31.560 --> 07:36.400]  Many people here will have heard of the California Consumer Privacy Act. And many people, I'm a
[07:36.400 --> 07:40.420]  California resident, will know that we have a ballot initiative coming to us in November where
[07:40.420 --> 07:45.700]  we can vote on an additional privacy law that, ironically enough, the privacy advocates are
[07:45.700 --> 07:49.120]  fighting about whether it's any good. That's also a conversation for another day. You can look that
[07:49.120 --> 07:54.680]  up on social media. But other states are looking to California to see what it does and whether
[07:54.680 --> 08:00.140]  there are things those states can copy from the California landscape to protect their own
[08:00.140 --> 08:05.740]  residents in the absence of federal regulation, which takes me to my final point.
[08:05.860 --> 08:10.680]  There have been a lot of headlines about this. Mr. Zuckerberg has been in front of Congress many
[08:10.680 --> 08:16.660]  times. Leaders from Google, leaders from Twitter, all have been in front of Congress talking about
[08:16.660 --> 08:22.540]  privacy. It is an important federal policy question. And the important question is,
[08:22.540 --> 08:30.580]  will the federal government change anything in the federal landscape to augment the FTC powers,
[08:30.580 --> 08:35.080]  to make the consumer rights more meaningful, to make the consumer rights more particularized,
[08:35.080 --> 08:39.860]  to healthcare information outside of the healthcare system? So these conversations
[08:39.860 --> 08:45.640]  started in the wake of Cambridge Analytica. A lot of us privacy advocates had great hopes
[08:45.640 --> 08:50.500]  for something happening. Remind you, Cambridge Analytica was two years ago now, a little bit
[08:50.500 --> 08:55.920]  more than two years ago now. So politics moves very, very slowly. It's an election year. We have
[08:55.920 --> 09:02.000]  COVID. Conventional wisdom says nothing's going to happen this year. And then it's very complicated
[09:02.000 --> 09:07.300]  politically. There are three or four committees on the Senate side, another half a dozen committees
[09:07.300 --> 09:13.600]  on the House side. Each of them has jurisdiction. If you went back to I'm just a bill from School
[09:13.600 --> 09:17.160]  House Rock, you would realize you have to have a bill on each side, then they have to
[09:17.160 --> 09:21.260]  come together and come to a compromise bill, and then both houses have to pass it again,
[09:21.260 --> 09:24.600]  and then the president has to sign it. So lots and lots of moving parts.
[09:25.200 --> 09:30.320]  Lots of opportunities, therefore, for people who are interested to still make their voices heard,
[09:30.320 --> 09:35.200]  and we'll talk about that a little bit later. Eventually, I think we will have something
[09:35.200 --> 09:39.520]  national, but it could take another two to four years. So I have somebody with me today to help
[09:39.520 --> 09:45.340]  me read the mail. My friend Nina. Nina, what's in the mailbag? First question.
[09:46.020 --> 09:52.640]  What are the big issues that are being debated in Congress about a nationwide privacy law?
[09:53.000 --> 09:59.320]  I think the two biggest issues are one is what we call preemption. So that is the idea that
[09:59.320 --> 10:05.840]  the federal law overtakes and supersedes any active state law. So if you think about the
[10:05.840 --> 10:12.080]  CCPA construct, if there were a federal law, and if it were preemptive, it would override whatever
[10:12.080 --> 10:17.700]  California enacts in its own law. So you can see that that could be really contentious because
[10:17.700 --> 10:22.720]  some states might want to be more aggressive or more protective of their consumers than other
[10:22.720 --> 10:28.820]  states or than the federal government. On the flip side, however, is the more laws there are,
[10:28.820 --> 10:32.760]  the harder it is to assure compliance. So from a consumer perspective, it might actually be
[10:32.760 --> 10:37.880]  better to have one single law that applies the same everywhere. So you don't have to be confused
[10:37.880 --> 10:43.000]  or have your rights change as you cross state lines. Many, many complex trade-offs there.
[10:43.240 --> 10:49.080]  The other big issue is should individuals be able to bring their own lawsuits for breaches of privacy?
[10:49.400 --> 10:54.260]  Now, there's a very long complicated history about lawsuits and privacy and damages.
[10:54.660 --> 10:59.060]  But at the end of the day, it's about how does this get enforced. So right now,
[10:59.060 --> 11:05.020]  outside of health care, the FTC brings an action. Consumers under their individual state laws may or
[11:05.020 --> 11:10.040]  may not have the right to sue. And in health care, consumers have no personal rights under HIPAA
[11:10.040 --> 11:15.980]  to sue. A federal law could change all that by giving individuals the right to sue. That can
[11:15.980 --> 11:21.320]  be a really effective enforcement mechanism, as has been true for automobile safety, for example.
[11:21.940 --> 11:28.580]  Right? Cars are safer because Ford got sued over the Pinto. But it also can make the cost of the
[11:28.580 --> 11:32.500]  business much more expensive. It can be a barrier to innovation because you have to worry about
[11:32.500 --> 11:39.100]  being sued. There are a lot of downstreams to widely available, empowering a lot of people
[11:39.100 --> 11:43.740]  to bring a lawsuit. So again, trade-offs there. Those are probably the two biggest issues that
[11:43.740 --> 11:49.420]  people cannot agree on. Why can't people get to yes?
[11:51.000 --> 11:55.940]  There are a lot of economic interests involved in that. So you can see that the trial attorneys
[11:55.940 --> 11:59.980]  want to make money off the lawsuits, but the small businesses and the innovation community
[11:59.980 --> 12:03.760]  and the venture capitalists want to keep growing new businesses with new ideas.
[12:03.760 --> 12:08.620]  And they don't want the threat of lawsuits hanging over their heads. Compliance can be complicated.
[12:08.860 --> 12:12.980]  There are philosophical differences. There are people who definitely believe in empowering
[12:12.980 --> 12:17.120]  consumers to sue, and people who don't believe in empowering consumers to sue.
[12:17.120 --> 12:22.460]  Those fall across the political spectrum. And that's probably why we can't get to yes,
[12:22.460 --> 12:29.500]  is there aren't enough people in any one particular place on that spectrum to balance the scales to a
[12:29.500 --> 12:33.240]  yes, right? You have to have a majority vote in both sides.
[12:34.320 --> 12:37.460]  So what's the impact of CCPA?
[12:38.400 --> 12:43.780]  So in the healthcare system, CCPA has a very specific carve-out for organizations that are
[12:43.780 --> 12:48.660]  actually already covered by HIPAA. For example, Omada would fall into that bucket, except for
[12:48.660 --> 12:53.960]  our public website that in a casual... you guys might be browsing it right now. But our program
[12:53.960 --> 12:59.000]  itself is healthcare delivery, and it's within HIPAA. But if you are a company who is collecting
[12:59.000 --> 13:05.220]  health information, for example, because you are running a business that offers consumers gift
[13:05.220 --> 13:09.520]  cards to answer surveys about their health conditions, that might be a business model.
[13:09.520 --> 13:14.820]  That's not within the healthcare system, and CCPA is going to apply. And all the rules of it are
[13:14.820 --> 13:20.680]  going to apply. Of course, it's a little bit of a moving target because the law was enacted a year
[13:20.680 --> 13:25.860]  ago. It took effect in January, but the regulations didn't take effect till July. And actually,
[13:25.860 --> 13:31.400]  they didn't get finalized till last week. And that might be upended by a ballot initiative,
[13:31.400 --> 13:36.100]  and who knows what's going to happen if there's court action about the ballot initiative.
[13:36.880 --> 13:42.280]  I'm not an expert on CCPA. I think it's something that's really important to people. But to me,
[13:42.280 --> 13:48.200]  the most important part of it from a consumer is knowing that I can go and say to that organization,
[13:48.200 --> 13:52.520]  what did you collect about me? And can I please have a copy of it? That's a really important
[13:52.520 --> 13:59.240]  thing for consumers who want to take action. I completely agree with that. So if anything,
[13:59.240 --> 14:06.160]  did COVID change? You know, COVID hasn't changed very much in the landscape, the overall regulatory
[14:06.160 --> 14:10.560]  landscape. There have been a couple of little things that have eased because of the public
[14:10.560 --> 14:16.200]  health emergency, but that easement is temporary. But I think in terms of health information, what
[14:16.200 --> 14:23.080]  the impact COVID has had is really given more people a stronger sense of the possibility
[14:23.080 --> 14:29.320]  that digital health has for us as a way of getting care, maintaining our health,
[14:29.320 --> 14:33.760]  getting the coaching or the assistance we need when we can't go to the doctor's office.
[14:33.760 --> 14:37.740]  And because of that, I mean, it's great for a digital health company like Omada, but because
[14:37.740 --> 14:43.560]  of that, people are now going to be thinking about their health information a lot more. That's one.
[14:43.560 --> 14:50.380]  The second one is I think that the arrival of big tech at the COVID moment with their
[14:51.060 --> 14:59.500]  wide variety of contact tracing apps, you know, that Facebook both runs ads for legitimate
[14:59.500 --> 15:05.240]  academic research about COVID and also runs not legitimate, you know, links to things that are
[15:05.240 --> 15:12.200]  not legitimate research. Arriving as it has two years after Cambridge Analytica, I think we're
[15:12.200 --> 15:17.440]  suffering from the skepticism that Cambridge Analytica brought to the doorstep of health
[15:17.440 --> 15:22.600]  information outside of HIPAA, really and truly. People are concerned about the contact tracing
[15:22.600 --> 15:28.380]  apps. The uptake is very low. It even bleeds over into human-to-human contact tracing, where I might
[15:28.380 --> 15:33.460]  call you, Nina, and say, hey, you know, it looked like you were at that concert, or did you know
[15:33.460 --> 15:36.940]  there was a big concert? And were you there? And who were you with? And who were they with? And
[15:37.500 --> 15:41.920]  that's, you know, contact tracing. We've been doing it for decades, really centuries,
[15:41.920 --> 15:46.220]  because we do contact tracing for sexually transmitted diseases that are contagious.
[15:46.320 --> 15:50.900]  And so we also have erosion of trust of the human-to-human contact tracing.
[15:50.900 --> 15:53.900]  And we'll suffer from that as a society for a while.
[15:55.940 --> 15:59.620]  How important is this issue to Congress?
[16:01.440 --> 16:03.020]  You know, it's a little bit of...
[16:03.020 --> 16:04.800]  I hope they get a drink of water before this question.
[16:05.420 --> 16:09.000]  You know, it's a little bit of Kentucky windage, right?
[16:09.080 --> 16:11.660]  Issues are important that constituents care about.
[16:12.860 --> 16:18.840]  And that's pretty much how the democratic process works. So, right now, constituents
[16:18.840 --> 16:25.540]  care about COVID. And some constituents care about election security, which is hugely important.
[16:27.040 --> 16:31.160]  We won't get a privacy anything this year, although I know there are still people working
[16:31.160 --> 16:35.520]  on little pieces of privacy. I saw a draft bill the other day about COVID and contact
[16:35.520 --> 16:41.760]  tracing apps about a month ago. But if you as a constituent think this is important,
[16:41.760 --> 16:46.520]  you should tell your congressperson, House or Senate. And in fact, if you have a senator or
[16:46.660 --> 16:50.240]  a representative who's on a committee of jurisdiction, you should most definitely tell
[16:50.240 --> 16:56.400]  them. If you think back to 2017, and the original attempts in the current administration to undermine
[16:56.400 --> 17:02.660]  the Affordable Care Act, who went to Congress? People with sick children and sick family members.
[17:02.800 --> 17:07.080]  And they were constituents. So, you know, you call over there, and they will ask what your zip code
[17:07.080 --> 17:13.740]  is. And you should be honest about that. I happen to have a representative who chugs along doing
[17:13.740 --> 17:18.500]  what I think is right without ever having me ever having to call her. But I can imagine being in a
[17:18.500 --> 17:24.500]  different state and having to call my representative every week. Or ask for an appointment for the
[17:24.500 --> 17:31.100]  office with local staff to say, Hey, did you know this is happening? And this is how it's impacting
[17:31.620 --> 17:36.980]  our community and me, and you should fix it. Noisy squeaky wheels totally get the grease
[17:36.980 --> 17:42.760]  in politics. So that's when it becomes important. Perfect segue. So how can the
[17:42.760 --> 17:47.540]  biohacking community get involved and move the needle on issues in privacy?
[17:48.140 --> 17:53.460]  I think there are a few things. I'm going to sort of try to list as many as I can in these materials,
[17:53.460 --> 17:59.500]  of bills that people might want to look at and committees of jurisdiction and where you go. But
[17:59.500 --> 18:04.460]  it's pretty simple. If you want to know, you go to finance.senate.gov and you look at the members
[18:04.460 --> 18:10.140]  and you figure out if they're your senator. And then you call your senator's office, you call them
[18:10.140 --> 18:14.940]  and you say, I'm Lucia Savage, and I'm a resident of blah, blah, blah state. And I understand that
[18:14.940 --> 18:19.900]  you're looking at such and such an issue. Here's what I think about it. And if you have a bunch of
[18:19.900 --> 18:24.820]  friends, you know, you can do a house party and everyone can get on their cell phone. You can call
[18:24.820 --> 18:30.120]  serially. You can email, but it's probably not as carefully read or paid attention to as a phone
[18:30.120 --> 18:36.580]  call. You can do a house party after COVID. You can do a well, well, you could do a virtual house
[18:36.580 --> 18:41.180]  party, right? Like set it up on Zoom, you can have all the contact information on a document that
[18:41.180 --> 18:47.900]  you're sharing. People can just, you know, call on mute, they were talking, just have a good time.
[18:49.260 --> 18:54.460]  So how can biohackers be more involved in the privacy needs and changes that are taking place?
[18:54.460 --> 18:59.380]  How do we get people to listen aside from talking to our congressional person?
[18:59.840 --> 19:06.960]  So I think stories are really, really important. People listen to stories. So I'm always compelled
[19:06.960 --> 19:12.340]  by, that's why I love the reference to Kim Kardashian or Carrie Fisher, right? It gives us a
[19:12.340 --> 19:18.780]  context for why people have privacy issues. Why are we working on mental health? Why is there
[19:18.780 --> 19:25.300]  so much stigma? How do we remove the stigma? And we analogize that to privacy. So in your family
[19:25.300 --> 19:33.300]  or in your community, what has been a bad impact of poor privacy practices or poor security
[19:33.300 --> 19:38.920]  practices for that matter? How has it impacted people? Whether it's a neighbor who got doxxed
[19:38.920 --> 19:43.480]  and somebody, you know, something terrible happened to them or people that you know,
[19:43.480 --> 19:49.100]  or even yourself. That's how we got anti-doxxing legislation is people went to their representative
[19:49.100 --> 19:54.100]  and said, hey, this happened to me and there ought to be a law. So it's really about stories
[19:54.100 --> 20:00.420]  and it's very, politics is very personal. It's, you know, there are white papers, there are studies,
[20:00.420 --> 20:05.500]  there is data, we can explain all that, but it's really the compelling personal stories that
[20:05.500 --> 20:12.400]  tip the scales when somebody's on the edge. It's the story about the constituent that's going to
[20:12.400 --> 20:19.300]  push somebody where you want them to go. And since I don't know about everyone's personal life,
[20:19.300 --> 20:23.500]  who might be listening to this, it's really hard for me to know after that, like what would be a
[20:23.500 --> 20:30.080]  story that would be compelling. But I know I had a, my mother was bipolar and in all my work as a
[20:30.080 --> 20:34.880]  privacy advocate, and particularly the work I did in the last administration, I would always talk
[20:34.880 --> 20:40.620]  about that. Like, I get it. I get stigma. I get why this is important. And I get why we need to
[20:40.620 --> 20:49.900]  understand it better. Can I have my personal moment in here? Absolutely. So I give this story a lot
[20:50.720 --> 20:57.820]  about why I'm in healthcare and why this matters so much to me. My father, fire department of New
[20:57.820 --> 21:05.100]  York, paramedic captain, he was at 9-11. My mother, stage four, one of the rarest cancers
[21:05.100 --> 21:09.700]  in the world. And I learned about it. I learned about both of their, their health issues the same
[21:09.700 --> 21:18.100]  week. Oh my God. So my father's issue was that he has bilateral lung nodes from being at the World
[21:18.100 --> 21:25.800]  Trade Center. Right. And it's that, it's that very compelling story of I suddenly became a caretaker.
[21:25.800 --> 21:30.860]  My parents were super independent. They were doing their things. And now it's, I own all of
[21:30.860 --> 21:35.960]  their medical data. I have all of their physician numbers in my phone. And if something happens,
[21:35.960 --> 21:41.080]  I immediately make a call for them. And if I'm not available, we, they, they understand that
[21:41.080 --> 21:46.360]  they, the physicians will call me right after to give me that data and the update of their
[21:46.360 --> 21:51.540]  condition. So I'm, I'm in complete agreement; the story is so compelling because we all have
[21:51.540 --> 21:56.760]  something that we can talk about and gives us that emotion to say, there needs to be a change.
[21:56.760 --> 22:01.180]  It's not a question. I'm not asking you and telling you that moment. Two things. If you
[22:01.180 --> 22:08.600]  think back about the 9-11 fund and you'll remember that Jon Stewart was on that like a dog on a bone
[22:08.600 --> 22:14.560]  week after week, it was embarrassing. He was intentionally embarrassing the politicians with
[22:14.560 --> 22:19.240]  these really compelling stories and it worked. So think about that. The other thing I would say,
[22:19.240 --> 22:23.660]  just on a personal note, Nina, and I don't know if we have time today, but you know, caretakers,
[22:23.660 --> 22:28.460]  we, we are, we baby boomers are a pretty big population and our kids are going to be taking
[22:28.460 --> 22:33.700]  care of us. And we should all have the ability as a caretaker, not just to call your parents
[22:33.700 --> 22:39.420]  doctor and have them call back, but have online on your phone access to their records. If they
[22:39.420 --> 22:44.740]  want you to have it. I had that for my mom through the Kaiser app, she authorized it. It meant I
[22:44.740 --> 22:48.960]  could help care for her. And she could call me and say, I don't understand this thing. What does
[22:48.960 --> 22:55.580]  it mean? And that is what digital health really means is not keeping data sacrosanct in a box
[22:55.580 --> 23:00.420]  under a cement floor, but putting it where it needs to be and where the patient wants it to be
[23:00.420 --> 23:05.640]  to get the care that they need. And if that's with a family member, let the family member know.
[23:05.640 --> 23:11.320]  If that's with a friend from church, let the friend from church know. If that's you as a person,
[23:11.320 --> 23:16.360]  you're a DIY healthcare person, and you want to broadcast your health status on that big
[23:16.360 --> 23:19.280]  billboard at Times Square, go right ahead. It's your data.
[23:21.120 --> 23:28.000]  How do the agencies that command and control healthcare, how do they work together or how do
[23:28.000 --> 23:33.140]  they not work together? Sure, that's a great question. And something I forgot earlier on,
[23:33.140 --> 23:39.720]  I wanted to be super clear about who really has authority over privacy. So in the federal realm,
[23:39.720 --> 23:46.160]  it is solely the Health and Human Services Office for Civil Rights. They write the privacy regulation,
[23:46.160 --> 23:51.820]  they write the security regulation, they investigate those, they fine people for them,
[23:51.820 --> 23:58.920]  and they enforce them. Now the FDA, which has a lot to say about digital tools, their remit or
[23:58.920 --> 24:05.380]  their jurisdiction is really about, is the thing safe, clinically safe, like it's not going to
[24:05.380 --> 24:11.900]  cause you, you know, a glucometer isn't going to burn your arm, or whatever. And is it doing
[24:11.900 --> 24:17.120]  clinically what you say it's going to do? So remember, it's the Food, Drug, and Cosmetic
[24:17.120 --> 24:24.120]  Act. And the enabling legislation, which dates back to Teddy Roosevelt, is about not having
[24:25.940 --> 24:34.060]  health products in the field that are dangerous. Right? And actually, the FDA covers veterinary
[24:34.060 --> 24:40.020]  science as well. So just think about that in totality. So I love Bakul. I know everybody
[24:40.020 --> 24:45.680]  over there, great crowd, really interested in privacy as a concept, but they don't actually
[24:45.680 --> 24:53.360]  regulate privacy. What they regulate is, did your device that has software in it,
[24:53.940 --> 24:59.400]  secure that software sufficiently that the device data is still accurate and has integrity?
[25:00.300 --> 25:07.780]  That's pretty much what they regulate. So that's the FDA. And then HHS-OCR writes the privacy rule,
[25:07.780 --> 25:13.620]  that applies to health insurance companies, employer-sponsored coverage. If you have a big
[25:13.620 --> 25:18.620]  employer, like you're at an Apple or Google or health sponsor coverage, physicians or any other
[25:18.620 --> 25:23.940]  provider who bills the government electronically, and then some additional intermediate companies
[25:23.940 --> 25:30.400]  called clearinghouses. There's always a lot of talk around the medical devices and the security
[25:30.400 --> 25:36.340]  that surround those. But one of the parts that are normally lacking in conversation are the
[25:36.340 --> 25:42.280]  electronic medical records. And you talked before about the ONC owning them. So what's,
[25:42.280 --> 25:49.600]  how does that link in with the agency? Sure. So the ONC has three specific powers. The first one
[25:49.600 --> 25:55.660]  is they write a regulation about what the software in a certified EHR has to do. And there are EHRs
[25:55.660 --> 26:01.020]  that are not certified, by the way. So if you have a certified EHR, it has to have these minimum
[26:01.020 --> 26:04.720]  functional requirements, and they've been getting more and more rigorous as time has gone by.
[26:04.720 --> 26:10.880]  The second thing they have is to educate the provider workforce, primarily, especially the
[26:10.880 --> 26:15.740]  small doctor's offices. Remember, while there's some really big systems, most healthcare is
[26:15.740 --> 26:19.900]  provided in very small business practices that have two or three physicians in them.
[26:19.900 --> 26:24.920]  So educate the physicians and the nurses and the people out in the field about how to safely,
[26:24.920 --> 26:31.680]  privately, and securely use EH, use certified EHRs to deliver care. And the third is to run
[26:31.680 --> 26:36.900]  the policymaking for the agency about both what that software package should be. It's a very
[26:36.900 --> 26:42.300]  unusual power, a federal agency that writes a prescriptive rule for software, but also,
[26:42.300 --> 26:49.900]  in general, about health information technology policy writ large. So for example, ONC has a
[26:49.900 --> 26:54.560]  specific duty of coordinating Office of the National Coordinator across agencies. And I might
[26:54.560 --> 27:01.600]  bring people to the table that would be the FDA and the FTC and Office of Civil Rights to stand up
[27:01.700 --> 27:08.260]  a tool that in fact exists. So on the FTC website is the mobile health app developer tool. And if
[27:08.260 --> 27:13.700]  you were to go to that tool, you would see in kind of a Q&A fashion, it moves you through a flowchart
[27:13.700 --> 27:18.560]  to help you make sure if you're a developer, you know which rules you have to deal with for
[27:18.560 --> 27:23.200]  the thing you're envisioning. So that's an example of coordinating across the agencies.
[27:23.340 --> 27:29.720]  Enforcement is not really a coordinating event in federal law. Generally, I'm making a very
[27:29.720 --> 27:35.420]  broad statement, but you know, OCR has its remit and a privacy breach is investigated by OCR and
[27:35.420 --> 27:41.120]  they investigate every single one that's reported to them. A safety violation by a device would be
[27:41.120 --> 27:47.680]  investigated by the FDA, if that makes sense. And then, of course, all of these agencies are within
[27:47.680 --> 27:53.700]  Health and Human Services, which is an agency run by Secretary Azar. And so how the agencies work
[27:53.700 --> 27:59.820]  together is really a factor of whether the secretary is making them work together and how
[27:59.820 --> 28:05.720]  much. Different secretaries have different approaches to that. The FDA is a very big agency.
[28:05.720 --> 28:09.260]  It's called an operating division. It's kind of freestanding and runs on its own, but the FDA
[28:09.260 --> 28:15.420]  administrator would be part of Azar's sort of kitchen cabinet or his cabinet. Similarly, CMS,
[28:15.420 --> 28:22.720]  operating division, kitchen cabinet. NIH, operating division, but in the cabinet. And then, ONC,
[28:22.720 --> 28:27.320]  Office for Civil Rights, actually report directly through the secretary, also in the cabinet,
[28:27.320 --> 28:32.140]  but literally under more of the secretarial vertical, if you can imagine that.
[28:32.940 --> 28:37.780]  So how do they work together? Let me just see if I can summarize it up. I think the staff work
[28:37.780 --> 28:43.280]  really well together when they're asked to, but people also have very specific portfolios and work
[28:43.280 --> 28:49.720]  that needs to get done. And so they really focus on that. So I want to be clear with people that
[28:49.720 --> 28:55.700]  you and I have met once and it was in a coffee shop and I watched you walk in and the conversation
[28:55.700 --> 29:04.280]  we had was extremely powerful. And I instantly knew that you had so much information that you
[29:04.280 --> 29:08.860]  needed to share it. And the, I feel like the community that we work in, we focus a lot on
[29:08.860 --> 29:11.860]  the medical devices because it's something very tangible that we can get our hands on.
[29:12.060 --> 29:19.100]  And this, even with all the knowledge that I have on how things function, this has engaged me and
[29:19.100 --> 29:23.300]  enlightened me. And now it's, okay, I can't focus so much here because they don't control this one
[29:23.300 --> 29:27.040]  thing that I'm working on. It's, I need to move over here. And maybe if I'm working over here,
[29:27.040 --> 29:33.960]  I can gauge this and make things happen. So that said, what other resources can we find
[29:34.520 --> 29:39.740]  for everything that you're talking about? So I'll put all these links in a document that you
[29:39.740 --> 29:45.380]  can hand out Nina, but I will tick off a few of them that are going to be in that document. The
[29:45.380 --> 29:51.340]  we published actually a long white paper for Congress. So let's just say it's like
[29:51.860 --> 29:59.300]  publication book level clearance and editorial accuracy for 2016 about the way health privacy
[29:59.300 --> 30:04.120]  is regulated in healthcare and outside of healthcare. And while the names of the companies
[30:04.120 --> 30:09.260]  may have evolved over time, Twitter is still Twitter. Facebook still operates the same way.
[30:09.260 --> 30:16.220]  None of the rules or laws that characterize that description have changed. So that is a public
[30:16.220 --> 30:21.140]  document. If you wanted to look for it right now, you'd Google ONC, non-covered entity report,
[30:21.140 --> 30:26.380]  and it would pop right up. Free, paid by the American taxpayer, no matter who else produces
[30:26.380 --> 30:33.000]  anything, the law firms, the consulting houses, the hacker community, this one is going to be
[30:33.000 --> 30:37.940]  the definitive source because it has to go through so many layers, including approval by the White
[30:37.940 --> 30:43.120]  House before it gets released to Congress. So that will be in there. I will provide some links
[30:43.120 --> 30:49.160]  to educational materials that ONC and Office for Civil Rights publish about more details about how
[30:49.160 --> 30:54.340]  HIPAA works, not only what people's individual rights are, like you as the caregiver, what are
[30:54.340 --> 30:58.720]  your rights for you and your parents to collectively get the information you need to help them with
[30:58.720 --> 31:04.420]  their care, but also for people to understand what are the ordinary disclosures that happen
[31:04.420 --> 31:08.340]  within the health care system to make it run between physicians, between physicians and health
[31:08.340 --> 31:13.280]  plans, etc. So there'll be some of that material in there. And then I'll probably link to some
[31:13.280 --> 31:19.460]  other think tanks in D.C. that are working on the federal privacy law space, and people can
[31:19.460 --> 31:24.740]  look at those organizations' websites and decide what's of interest to them, but it would be
[31:24.740 --> 31:30.100]  Brookings Institute, Future of Privacy Forum, Electronic Frontier Foundation,
[31:31.860 --> 31:36.320]  EPIC, potentially American Enterprise, New America Foundation, they've all kind of
[31:36.320 --> 31:40.820]  worked in this space. So we'll put some links together that are those people's websites, and
[31:40.820 --> 31:49.820]  you can just go to them and check it out. Lucia, thank you so much. This is the stuff we don't
[31:49.820 --> 31:54.560]  talk about, and that is why this is so important. So thank you for coming. I completely and utterly
[31:54.560 --> 32:00.080]  appreciate your brain space. I'm really happy to be here. I think that the more people
[32:00.080 --> 32:04.220]  who can bring the stories to the floor, the more likely we are to have traction. There's
[32:04.440 --> 32:09.600]  a lot of times when it's the same 300 people having this conversation and bringing the new
[32:09.600 --> 32:14.580]  voices, especially of the next generation when they've been specifically impacted by this,
[32:14.580 --> 32:21.480]  or they understand the technology better than some of our older congresspeople. Awesome.
[32:21.480 --> 32:26.280]  Totally awesome. Thank you. You're welcome. Thanks for having me.
